Identifies suspicious access to an LSASS handle via PssCaptureSnapShot, where two successive process-access events are performed by the same source process against two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Rule type: threshold
Risk score: 73
Runs every: 5 minutes
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Credential Access
Added (Elastic Stack release): 8.0.0
Rule authors: Elastic
Rule license: Elastic License v2
## Config

This rule is meant to run only on data sources using agents v7.14+, since versions prior to that lack the threshold rule cardinality feature.
## Rule query

```kql
event.category:process and event.code:10 and winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or "c:\\Windows\\system32\\lsass.exe" or "c:\\Windows\\System32\\lsass.exe")
```
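To make the threshold-with-cardinality behaviour concrete, the following Python is an added example (not Elastic's rule implementation) that replays the rule's logic over a handful of constructed Sysmon Event ID 10 records. It assumes the threshold groups by host name plus the source process (`winlog.event_data.SourceProcessId`/`SourceImage`), that "two different instances of LSASS" means two distinct `TargetProcessId` values, and that the window matches the five-minute run interval; the published rule's exact threshold fields are not shown on this page, so those choices are assumptions. Note that two accesses to the *same* LSASS process id do not trigger, which is why the cardinality feature is required.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Normalised LSASS image path; comparison is case-insensitive so the three
# spellings listed in the rule query collapse to this single value.
LSASS_IMAGE = r"c:\windows\system32\lsass.exe"


def matches_rule_query(event):
    """Mirror of the rule's KQL filter: Sysmon ProcessAccess (event code 10)
    whose TargetImage is the LSASS binary, in any capitalisation."""
    data = event.get("winlog", {}).get("event_data", {})
    return (
        event.get("event", {}).get("category") == "process"
        and str(event.get("event", {}).get("code")) == "10"
        and data.get("TargetImage", "").lower() == LSASS_IMAGE
    )


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def find_multi_lsass_access(events, window=timedelta(minutes=5), min_targets=2):
    """Assumed threshold logic: group matching events by host and source
    process, then flag any source process that touched at least `min_targets`
    distinct LSASS process ids within `window`. Returns one finding per
    source process."""
    groups = defaultdict(list)
    for ev in events:
        if not matches_rule_query(ev):
            continue
        d = ev["winlog"]["event_data"]
        key = (ev["host"]["name"], d["SourceProcessId"], d["SourceImage"])
        groups[key].append((_ts(ev), d["TargetProcessId"]))

    findings = []
    for (host, src_pid, src_image), accesses in groups.items():
        accesses.sort()
        for i, (start, _) in enumerate(accesses):
            # Distinct LSASS pids reached from this access onward, inside the window.
            targets = {pid for t, pid in accesses[i:] if t - start <= window}
            if len(targets) >= min_targets:
                findings.append({"host": host, "source_pid": src_pid,
                                 "source_image": src_image,
                                 "target_pids": targets})
                break
    return findings


def _sysmon10(ts, host, src_pid, src_image, tgt_pid, tgt_image, code="10"):
    """Build a minimal ECS-shaped Sysmon event (constructed sample data)."""
    return {"@timestamp": ts, "host": {"name": host},
            "event": {"category": "process", "code": code},
            "winlog": {"event_data": {"SourceProcessId": src_pid, "SourceImage": src_image,
                                      "TargetProcessId": tgt_pid, "TargetImage": tgt_image}}}


# Constructed sample log: an AV scanner touching the real LSASS (pid 700) twice,
# a user-profile binary touching two different LSASS pids two seconds apart,
# one non-LSASS target and one event with the wrong event code.
TOOL = r"C:\Users\alice\AppData\Local\Temp\tool.exe"
SAMPLE_EVENTS = [
    _sysmon10("2024-01-01T10:00:00Z", "ws01", "2200", r"C:\ProgramData\AV\scanner.exe",
              "700", r"C:\Windows\system32\lsass.exe"),
    _sysmon10("2024-01-01T10:00:30Z", "ws01", "2200", r"C:\ProgramData\AV\scanner.exe",
              "700", r"C:\Windows\system32\lsass.exe"),
    _sysmon10("2024-01-01T10:01:00Z", "ws01", "4321", TOOL,
              "700", r"c:\Windows\System32\lsass.exe"),
    _sysmon10("2024-01-01T10:01:02Z", "ws01", "4321", TOOL,
              "9876", r"C:\Windows\system32\lsass.exe"),
    _sysmon10("2024-01-01T10:02:00Z", "ws01", "4321", TOOL,
              "1500", r"C:\Windows\system32\notepad.exe"),
    _sysmon10("2024-01-01T10:03:00Z", "ws01", "5555", r"C:\Windows\system32\svchost.exe",
              "700", r"C:\Windows\system32\lsass.exe", code="1"),
]

if __name__ == "__main__":
    for f in find_multi_lsass_access(SAMPLE_EVENTS):
        print(f"{f['host']}: pid {f['source_pid']} ({f['source_image']}) "
              f"accessed LSASS pids {sorted(f['target_pids'])}")
```

Running the block flags only pid 4321: the scanner's two accesses to the same LSASS pid meet a plain count-based threshold but not the cardinality condition, and the event with code 1 never passes the query filter.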